Re: [Full-disclosure] Metrica Service Assurance Multiple Cross Site Scripting



2008/11/9 rholgstad <rholgstad@xxxxxxxxx>:
post auth xss

*yawn*

I don't quite see your point about it being post auth.
The URLs provided don't seem to have csrf tokens or anything else that
actually requires an attacker to have an account, so all you need to
do is find an authed victim, which is what you would have to do anyway
since attacking unauthed victims is usually pretty pointless (not that
you can't still perform useful attacks, but they're not always
possible or simple).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/